Nearly $900K Paid Out In Crypto Bug Bounties On HackerOne In 2018

New statistics from HackerOne reveal that the platform handled $878,504 in crypto bug bounty rewards over the course of 2018. HackerOne is a major platform that allows white hat hackers to report security vulnerabilities and receive financial rewards in return. Leading news site The Next Web (TNW) originally obtained these figures, and many other interesting statistics were brought to light in the process.

The Statistical Breakdown

It seems that crypto bug bounties are dominated by a few big companies. According to The Next Web, EOS parent company Block.one remains the highest spender, as it has paid out $534,500 over the course of the year. By August, the company had paid out $417,000, a large portion of that amount.

Other big spenders include Coinbase, which has paid out a total of $290,381, and TRON, which has paid out a total of $76,200. However, these figures include pre-2018 spending, so the comparison with Block.one's 2018 total is not direct. Both organizations have nevertheless paid out a substantial amount in rewards.

Despite the fact that plenty of money was spent on bug bounties, blockchain tech seems to remain a niche. Only 4% of all bug bounties on HackerOne were crypto- or blockchain-related, and just 64 of the 2000+ companies on the platform fall into those categories. On the bright side, blockchain and crypto companies offered substantially above-average rewards to hackers.

The Importance Of Bug Bounties

Bug bounties are a vital part of any crypto project because an exploitable bug can put user funds directly at stake, and on-chain losses generally cannot be reversed. It is critical that each bug is reported privately and patched before it becomes public, so that attackers have as little opportunity as possible to exploit it.

This is true regardless of the scale of the project: wallets, dApps, exchanges, and entire blockchains all fund bug bounties regularly. Over the course of the year, EOS, Ontology, Augur, and Robinhood have made notable efforts to make their bounties more appealing to white hat hackers and security researchers.

Much of the appeal of bug bounties comes from the fact that there is power in numbers: this approach allows developers to make use of diverse crowdsourced knowledge in addition to a specialized security team. HackerOne, for example, brings together more than 300,000 users with various areas of expertise.

Furthermore, HackerOne is just one site: some projects run independent bug bounties that are not accounted for in HackerOne's numbers. Small projects also often receive bug reports without paying any reward, meaning that some vulnerability disclosure goes unrecorded and relies on the goodwill of the community.